
kind.

Julio Casal, founder and CTO at 4iQ, an identity threat intelligence company based in Los Altos, Calif., said the company's researchers found the repository on Dec. 5 while scanning the deep and dark web for "stolen, leaked or lost data." The 41 GB repository contained 1.4 billion stolen credentials stored in cleartext and gathered from 252 previous breaches, including breaches of LinkedIn and Pastebin.

Casal said the repository was more advanced than just a storage bin for the stolen credentials.

"This is not just a list. It is an aggregated, interactive database that allows for fast (one second response) searches and new breach imports. Given the fact that people reuse passwords across their email, social media, e-commerce, banking and work accounts, hackers can automate account hijacking or account takeover," Casal wrote in a Medium post. "This database makes finding passwords faster and easier than ever before. As an example searching for 'admin,' 'administrator' and 'root' returned 226,631 passwords of admin users in a few seconds."

Casal said this list of stolen credentials included the previous largest Exploit.in combo list -- that had exposed 797 million records -- and added data from an additional 133 breaches. The repo did not include stolen credentials from the Onliner spambot dump, another of the largest repositories of stolen credentials at 711 million accounts.

Reactions to the massive stolen credential repo

Experts noted that although the most frequently found passwords in the repository were not terribly secure -- top of the list were 123456, 123456789, qwerty and password -- users should beware of password reuse.

Tim Erlin, vice president of product management and strategy at Tripwire, the information security company headquartered in Portland, Ore., said that while the "sheer number of stolen credentials certainly makes for an impressive headline, it's unclear how many of these are new versus previously disclosed in another breach."


"The reality is that these massive treasure troves of stolen credentials are out there on the dark web. Consumers need to be vigilant about changing their passwords and employing multi-factor authentication to prevent these stolen credentials from being used against them in the future," Erlin told SearchSecurity. "Consumers' best protection against stolen credentials being used against them is to regularly change passwords and to use multi-factor authentication wherever possible."

John Gunn, chief marketing officer at Vasco Data Security, an information security company headquartered in Oakbrook Terrace, Ill., said it is time the industry moved away from passwords altogether.

"There have been so many breaches, and the complexity of creating and remembering passwords has become so great that passwords are now more effective at keeping legitimate users out of their own accounts than at stopping hackers," Gunn told SearchSecurity. "Biometrics, behavior analysis and adaptive authentication are far more effective at stopping crime than passwords and they don't place any burden on the user -- this will quickly become the standard."

Philip Lieberman, president of Lieberman Software, a cybersecurity software company based in Los Angeles, agreed that traditional password systems were insufficient.

"The revelation of massive databases of credentials available on the dark web should concern regulators and governments about their lax policies on passwords, especially those used for elevated access. PCI and other regulatory standards that only require administrator password changes every 90 days are out of touch with reality," Lieberman told SearchSecurity. "Similarly, the obsession with removing clear text passwords by auditors and analysts via obfuscation rather than technology improvements, further cements the reality that current IT processes are out of step with the threats of today."


The simple, not perfect solution: Download the repository of stolen IDs and passwords. Then, when someone, anyone, tries to apply for any new account online, the organisation, bank, school, etc. should compare the proposed password with the database, and then tell the applicant:

"Sorry, your password is already used elsewhere. Think, think, think (like Winnie the Pooh), and come up with something more complicated or unusual for your password."

(Pooh reference: https://www.youtube.com/watch?v=3U8pAM4VXvI)

Of course, this doesn't do anything for the people who use and stick with "123456" as a password, but it's a baby step forward.
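The check the commenter proposes, rejecting a newly chosen password if it already appears in a breach corpus, can be done without ever storing or transmitting the breached plaintexts. The example below is added here and is not code from the article, from 4iQ or from any of the vendors quoted; it assumes a local corpus (a constructed handful of entries, four of them the article's own top-of-list values) and indexes it by a short SHA-1 prefix so that a client can ask for one bucket and compare the remainder of the hash itself, the k-anonymity range-query pattern. The function and variable names are mine.

```python
import hashlib

# Constructed sample corpus. Four entries are the passwords the article names as
# the most common in the repository; the rest are made up for illustration.
# In practice this list would be built once from the breach data and only the
# hashed index kept.
CONSTRUCTED_BREACHED = ["123456", "123456789", "qwerty", "password",
                        "letmein", "hunter2-constructed-sample"]

PREFIX_LEN = 5  # hex characters sent to the lookup service; the rest stays local


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 password (lookup key only, not for storage)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_breach_index(plaintexts) -> dict[str, set[str]]:
    """Map SHA-1 prefix -> set of hash suffixes. Plaintexts are discarded afterwards."""
    index: dict[str, set[str]] = {}
    for pw in plaintexts:
        digest = sha1_hex(pw)
        index.setdefault(digest[:PREFIX_LEN], set()).add(digest[PREFIX_LEN:])
    return index


def range_query(index: dict[str, set[str]], prefix: str) -> list[str]:
    """Server side of the lookup: return every suffix in one prefix bucket.

    The server learns only the 5-character prefix, which many unrelated
    passwords share, so it cannot tell which password the client is testing."""
    return sorted(index.get(prefix.upper(), set()))


def is_breached(candidate: str, index: dict[str, set[str]]) -> bool:
    """Client side: fetch the bucket for the candidate's prefix, match the suffix locally."""
    digest = sha1_hex(candidate)
    bucket = range_query(index, digest[:PREFIX_LEN])
    return digest[PREFIX_LEN:] in bucket


def validate_new_password(candidate: str, index: dict[str, set[str]],
                          min_len: int = 12) -> tuple[bool, str]:
    """Decide whether a proposed password may be set, with a reason for the applicant.

    The breach check runs first so that a short, breached password is reported as
    breached rather than merely short; the length floor catches the remainder."""
    if is_breached(candidate, index):
        return False, "password appears in a known breach corpus; choose a different one"
    if len(candidate) < min_len:
        return False, f"password must be at least {min_len} characters"
    return True, "ok"


if __name__ == "__main__":
    idx = build_breach_index(CONSTRUCTED_BREACHED)
    for pw in ["123456", "qwerty", "short1", "correct horse battery staple"]:
        ok, reason = validate_new_password(pw, idx)
        print(f"{pw!r}: {'accepted' if ok else 'rejected'} ({reason})")
```

The index is keyed by prefix so the lookup can be split across a trust boundary: a signup form only has to hash the candidate, send the first five hex characters, and compare the returned suffixes itself. SHA-1 is used here purely as a lookup key over data that is already public; it is not a substitute for a slow password hash when the accepted password is eventually stored.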